Phil Mayers wrote:
> George C. Kaplan wrote:
>> I've been wondering about this, in relation to the rlm_perl module. We
>> see "Don't set Auth-Type in the users file" all over the place, but with
>> rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for
>> authorization, I *have to* set the Auth-Type in the users file.
>
> You shouldn't really ever have to set it AT ALL, EVER, though some of
> the fixes that make that a doable proposition are only in newer (CVS?)
> versions of FR - e.g. the reworking of the PAP module, optional setting
> of the Auth-Type on the ldap module, {algo} detection in the
> User-Password field, and so forth.
> [...]
> The only case I can see where you need to Auth-Type is when you have a
> need for >1 copy of an authentication algorithm with different
> parameters e.g. for different services.
Or you're using an authentication method (Kerberos, in my case) that isn't one of the standard methods associated with the authorization module. (As Alan points out, you have to know what you're doing to make this work.)

> This can typically be handled
> more cleanly IMHO with Autz-Type. So, for example:
>
> modules {
>     # shared modules - no state, irrelevant which service they answer
>     chap {
>         authtype = CHAP
>     }
>     # service 1 modules
>     mschap mschap1 {
>         # we'll to MS-CHAP internally
>         authtype = MS-CHAP1
>     }

Right; you configure each authorization module to set the appropriate Auth-Type. In my case, I'm using a combination of LDAP and perl for authorization (see my reply to Florian Prester earlier) and Kerberos for authentication. There's no place in the LDAP module config to set Auth-Type (although maybe that'll change soon, as you note), and I couldn't do it in the perl module (in the config or the script) either.

>> This isn't really a problem (since it all works the way I want), but it
>> seems inconsistent, especially considering that other modules can modify
>> the request or check items. So, why were %RAD_CHECK and %RAD_REQUEST
>> made read-only?
>
> I can't say specifically in that case. It does seem odd. But that still
> doesn't make setting Auth-Type any cleaner ;o)

Well, if you're using rlm_perl for authorization, you're already doing something out of the ordinary, so you really need to know what you're doing in the first place. It seems better to set the Auth-Type there than in the users file, where the more mundane parts of the RADIUS config live.

--
George C. Kaplan                          [EMAIL PROTECTED]
Communication & Network Services          510-643-0496
University of California at Berkeley

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
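The two ways of getting Auth-Type set that the thread contrasts, written out as a radiusd.conf fragment in the FreeRADIUS 1.x style of Phil's snippet. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; the server name, base DN, keytab path, script path, the Autz-Type labels and the huntgroup names are placeholders.

```conf
# Added example: one server config showing (a) protocol modules that set
# Auth-Type themselves, selected per service via Autz-Type, and (b) the
# LDAP + rlm_perl + Kerberos setup from the thread, where the users file
# still has to supply Auth-Type because neither ldap nor perl can.

modules {
    # Shared, stateless: sets Auth-Type = CHAP whenever a CHAP-Password is present.
    chap {
        authtype = CHAP
    }
    # Two MS-CHAP instances with different Auth-Type values, one per service,
    # which is the ">1 copy of an algorithm with different parameters" case.
    mschap mschap1 {
        authtype = MS-CHAP1
    }
    mschap mschap2 {
        authtype = MS-CHAP2
    }
    # Authorization sources that (in this version) cannot set Auth-Type.
    ldap {
        server = "ldap.example.com"                 # placeholder
        basedn = "ou=people,dc=example,dc=com"      # placeholder
    }
    perl {
        module = ${confdir}/authorize.pl            # placeholder path; %RAD_CHECK is read-only inside it
    }
    # Kerberos authentication; rlm_krb5 answers to Auth-Type Kerberos.
    krb5 {
        keytab = /etc/radiusd.keytab                # placeholder
        service_principal = radius/radius.example.com   # placeholder
    }
}

authorize {
    preprocess
    # The users file is consulted first so it can set Autz-Type per huntgroup
    # and, for the Kerberos path, Auth-Type := Kerberos.
    files
    chap
    # Per-service branches: only the selected mschap instance runs, so each
    # service ends up with its own Auth-Type without a users-file entry.
    Autz-Type Service1 {
        mschap1
    }
    Autz-Type Service2 {
        mschap2
    }
    ldap
    perl
}

authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP1 {
        mschap1
    }
    Auth-Type MS-CHAP2 {
        mschap2
    }
    Auth-Type Kerberos {
        krb5
    }
}

# --- users file (separate file, shown here for completeness) ---
# Huntgroup names are placeholders defined in the huntgroups file.
# DEFAULT  Huntgroup-Name == "svc1", Autz-Type := Service1
# DEFAULT  Huntgroup-Name == "svc2", Autz-Type := Service2
# The one entry George's setup still needs, since ldap/perl cannot set it:
# DEFAULT  Auth-Type := Kerberos
```

The Autz-Type branches keep the per-service choice out of the users file for the MS-CHAP case, which is Phil's point; the final users-file line is the residual case George describes, where the authorization modules in use have no way to set Auth-Type, so the entry lives in users until the ldap or perl modules gain that ability.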